A persistent agent remembers, and so does the attack you let into its memory

Stateless agents forget the injection at the end of the turn. A persistent agent carries it into every session that follows.

B

Balagei G Nagarajan

3 MIN READ


A poisoned memory entry persisting across multiple agent sessions over time

Key facts.

  • Memory poisoning is a distinct, demonstrated risk: malicious content written to persistent memory influences future sessions, and a query-only attack reaches 76.8% attack success and 98.2% injection success (MINJA, 2025).
  • MINJA poisons an agent's memory via query-only interaction, reaching 76.8% attack success and 98.2% injection success, so the threat is demonstrated on real agents (MINJA, 2025).
  • Corrupted state is inherited by every downstream step, so one bad write skews many later decisions.

Why is persistent memory harder to secure than a single turn?

Because the attack and the damage are separated in time. An attacker poisons the memory in one session, and the harmful action happens days later, in a clean-looking session, triggered by the stored content. There is no obvious link between the two. Securing this means treating memory writes as a trust boundary: validate what gets stored, attach provenance to memory entries, and re-check stored content before acting on it, rather than trusting memory just because it came from a past version of the agent.

Timeline diagram showing a poisoned memory write in one session triggering a harmful action in a later session

Trusted memory vs. validated memory

Trusted memoryValidated memory
Anything written is believed laterMemory writes validated at the boundary
Poison persists silentlyStored content carries provenance
Attack and damage look unrelatedStored content re-checked before use

A persistent agent that wrote a malicious instruction to memory carries the incident forward, and a more capable model inherits the store: MINJA poisons it at 76.8%. (arXiv:2503.03704)

VibeModel's Pattern Intelligence Layer treats memory as a surface to watch: it flags when stored content steers an agent toward an action that does not fit its history, the signature of a poisoned memory surfacing. You validate what gets written and attach provenance; we catch the moment old memory starts driving new behavior. Persistence is useful, and it needs the same suspicion you give any input.

Frequently asked questions

Should I just make agents stateless?
Where you can, it removes the risk. Where memory adds real value, validate writes and re-check stored content before acting on it.

How do I detect a poisoned memory?
Watch for stored content that pushes the agent toward out-of-pattern actions, and keep provenance so you can trace a memory back to where it came from.


Share this post

Join the discussion

Have a take, a war story, or a question? Sign in with GitHub to comment and react. Comments are powered by GitHub Discussions, ad-free and yours to moderate.

Continue Reading

Find where your agent breaks, before you build it

Faultmap maps where your agent will fail from the goal and your data, then hands you the first test suite it has to pass.